TCP/UDP Common port number
7 Echo (PING)
9 Discard
Daytimer
19 Word Fuzhou Builder
20/TCP FTP Data
21/TCP FTP Control File Transfer Protocol
22/TCP SSH Secure Login, File transfer (SCP), and port redirection
23/tcp Telnet Unsafe Text transfer
25/tcp SMTP Simple Mail Transfer Protocol (easy Mail Transfer Protocol) (e-mail)
53/TCP Domain Name server
69/UDP TFTP Daily File Transfer Protocol (Trivial files Transfer Protocol)
70/tcp Gopher
79/tcp Finger
80/TCP WWW (HTTP Hypertext Transfer Protocol)
88/TCP Kerberos Authenticating Agent
110/TCP POP3 Post Office Protocol (post offices Protocol) (e-mail)
113/TCP ident Old Identification Server system
119/TCP NNTP Network new transport Protocol (network new Transfer Protocol) used for Usenet newsgroups
137/UDP NetBIOS Names Service (NetBIOS name Service,nbname)
138/UDP NetBIOS Datagram Service (NetBIOS Datagram Service,nbdatagram)
139/tcp NetBIOS Session service (NetBIOS Sessions service,nbsession)
161/UDP SNMP Easy Network Management Protocol (simple networking Management Protocol)
220/TCP IMAP3 Internet Messaging Access Protocol (Internet message, Access Protocol)
443/TCP HTTPS Encrypted HTTP (used for securely transferring web pages)
636/TCP LDAP Lightweight Directory Access Protocol (Lightweight Directory Access Protocol)
1080/tcp SOCKScommon port numbers for TCP/IP protocol
Keyword Port number port description
0 reserved
TcpMux0 1 TCP Port Service multiplexer
Echo 1 7 return (Echo Loopback all received data)
Discard2 9 Delete (delete all accepted data statically)
SYSTAT3 11 Current users
Daytime 13 Daytime
QUOTD 17 Daily References
Chargen 19 Generating characters
Ftp-data 20 File Transfer (default data)
FTP 21 File Transfer (control port)
Telnet 23 Remote Communication Network
SMTP 25 Simple Mail Transfer Protocol
Time 37 times
Nicname 43 who
Domain 53 name servers
BOOTPS 67 Bootstrapper Protocol Server
BOOTPC 68 Bootstrapper Protocol Client
Tftp 69 common File Transfer Protocol
Gopher Gopher
Finger 79 dialing
Www-http www-http
Kerberos-In-the-Kerberos
POP2 109 Postal Protocol version 2
POP3 110 Postal Protocol version 3
SUNRPC 111 Sun Terminal Program call
NNTP 119 Network News Transfer Protocol
NTP 123 Network Time Protocol
Netbios-ns 137 network basic input and output system naming service
NETBIOS-NS 138 network basic Input output System datagram service
NETBIOS-SSN 139 Network basic input/output system service
IMAP2 143 Intermediate Mail Access Protocol V2
SNMP 161 Simple Network Management Protocol
BGP 179 Border Gateway Protocol
Syslog 514 System Lander
Port: 0
Service: Reserved
Description: Typically used to analyze the operating system. This approach works because "0" is an invalid port in some systems and will produce different results when you try to connect to it using the usual closed port. A typical scan with an IP address of 0.0.0.0, set the ACK bit and broadcast on the Ethernet layer.
PORT: 1
Service: Tcpmux
Description: This shows someone looking for the SGI IRIX machine. IRIX is the main provider for implementing Tcpmux, and by default Tcpmux is opened in this system. The IRIX machine is released with several default password-free accounts, such as: IP, GUEST UUCP, NUUCP, DEMOS, TUTOR, DIAG, Outofbox, etc. Many administrators forget to delete these accounts after installation. So hacker search the internet for Tcpmux and take advantage of these accounts.
Port: 7
Service: Echo
Description: You can see the information that many people send to x.x.x.0 and x.x.x.255 when they search for Fraggle amplifiers.
Port: 19
Service: Character Generator
Description: This is a service that only sends characters. The UDP version will respond to packets containing junk characters after receiving the UDP packets. A TCP connection sends a stream of data that contains garbage characters until the connection is closed. Hacker uses IP spoofing to launch Dos attacks. Forge a UDP packet between two Chargen servers. Similarly Fraggle Dos attacks broadcast a packet with a spoofed victim IP to this port on the destination address, and the victim is overloaded to respond to this data.
Port: 21
Services: FTP
Description: The FTP server is open to the port for uploading, downloading. The most common attackers are used to look for ways to open an anonymous FTP server. These servers have a read-write directory. Trojan doly ports open for Trojan, Fore, Invisible FTP, WebEx, Wincrash, and Blade Runner.
Port: 22
Service: Ssh
Description: The connection between TCP and this port established by pcanywhere may be to look for SSH. This service has many weaknesses, and if configured in a specific mode, many of the versions that use the RSAREF library will have a number of vulnerabilities.
Port: 23
Services: Telnet
Description: Telnet, the intruder is searching for services that Telnet to UNIX. In most cases, this port is scanned to find the operating system that the machine is running on. and using other technologies, intruders will also find passwords. Trojan Tiny Telnet Server will open this port.
Port: 25
Service: SMTP
Description: The port that the SMTP server is open for sending messages. Intruders look for SMTP servers to pass their spam. The intruder's account is closed and they need to be connected to a high-bandwidth e-mail server to pass simple information to different addresses. Trojan antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WINPC, winspy all open this port.
Port: 31
Service: MSG Authentication
Description: Trojan Master Paradise, Hackers Paradise Open this port.
Port: 42
Service: WINS Replication
Description: WINS replication
Port: 53
Service: Domain Name Server (DNS)
Description: The DNS server is open to ports where intruders may be trying to make zone transfers (TCP), spoof DNS (UDP), or hide other traffic. So firewalls often filter or log this port.
Port: 67
Service: Bootstrap Protocol Server
Description: A firewall with DSL and cable modems often sees a large amount of data sent to broadcast address 255.255.255.255. These machines are requesting an address from the DHCP server. Hacker often enter them, assigning an address that initiates a large number of middlemen (man-in-middle) attacks as a local router. The client broadcasts the request configuration to port 68, and the server broadcasts a response request to port 67. This response uses broadcasts because the client does not yet know which IP address can be sent.
Port: 69
Service: Trival File Transfer
Description: Many servers work with BOOTP to provide this service for easy download of boot code from the system. However, they often allow intruders to steal any file from the system due to misconfiguration. They can also be used to write files to the system.
Port: 79
Service: Finger Server
Description: An intruder is used to obtain user information, query the operating system, detect known buffer overflow errors, and respond to finger scans from its own machine to other machines.
PORT: 80
Service: HTTP
Description: Used for web browsing. Trojan Executor open this port.
PORT: 99
Service: Gram Relay
Description: The Backdoor program ncx99 Open this port.
Port: 102
Service: Message transfer agent (MTA)-x.400 over TCP/IP
Description: The message transfer agent.
Port: 110
Service: Post Office Protocol-version3
Description: The POP3 server opens this port for receiving mail and client access to the server-side mail service. The POP3 service has many recognized weaknesses. There are at least 20 weaknesses in the user name and password Exchange buffer overflow, which means intruders can enter the system before a real login. There are other buffer overflow errors after successful login.
PORT: 111
Service: All ports for the RPC service of sun Company
Description: Common RPC services include RPC.MOUNTD, NFS, RPC.STATD, RPC.CSMD, RPC.TTYBD, AMD, etc.
Port: 113
Services: Authentication Service
Description: This is a protocol that runs on many computers and is used to authenticate users of a TCP connection. Using standard services, you can obtain information on many computers. However, it can be used as a logger for many services, especially FTP, POP, IMAP, SMTP, and IRC services. Often, if there are many customers accessing these services through a firewall, they will see many connection requests for this port. Remember that if you block this port the client will feel a slow connection to the e-mail server on the other side of the firewall. Many firewalls support the blocking process of TCP connections to send back the RST. This will stop the slow connection.
Port: 119
Service: Network News Transfer Protocol
Description: The News newsgroup transport protocol, which hosts Usenet communications. This port is usually connected to people looking for Usenet servers. Most ISPs limit that only their customers can access their newsgroup servers. Opening a newsgroup server will allow you to send/read anyone's posts, access restricted newsgroup servers, post anonymously or send spam.
Port: 135
Service: Location Service
Description: Microsoft runs DCE RPC end-point Mapper for its DCOM service on this port. This is similar to the functionality of UNIX 111 ports. Services that use DCOM and RPC use end-point mapper on the computer to register their locations. When a remote client connects to the computer, they find the location of the service end-point mapper. Hacker scan the computer for this port to find out if you are running Exchange Server on this computer. What version. There are also some Dos attacks directed at this port.
Ports: 137, 138, 139
Service: NETBIOS Name Service
Note: where 137, 138 is a UDP port, this port is used when transferring files over a network neighbor. and port 139: The connection entered through this port attempts to obtain the NETBIOS/SMB service. This protocol is used for Windows file and printer sharing and for Samba. And WINS Regisrtation also uses it.
Port: 143
Service: Interim Mail Access Protocol v2
Description: As with POP3 security issues, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (ADMV0RM) is propagated through this port, so many of the scans of this port come from unsuspecting users who have already been infected. These vulnerabilities became popular when Redhat allowed IMAP by default in their Linux release. This port is also used for IMAP2, but it is not popular.
Port: 161
Services: SNMP
Description: SNMP allows remote management of devices. All configuration and operational information is stored in the database and is available through SNMP. Many administrator error configurations will be exposed to the Internet. Cackers will attempt to use the default password public, private access system. They may be experimenting with all possible combinations. SNMP packets may be incorrectly directed to the user's network.
PORT: 177
Service: X Display Manager Control Protocol
Description: Many intruders access the X-windows console, which also needs to open port 6000.
PORT: 389
Services: LDAP, ILS
Description: The Lightweight Directory Access Protocol and NetMeeting Internet Locator server share this port.
Port: 443
Service: Https
Description: A Web browsing port that can provide encryption and another HTTP transmission over a secure port.
Port: 456
Service: [NULL]
Description: Trojan Hackers paradise open this port.
Port: 513
Service: Login,remote Login
Description: A broadcast from a UNIX computer that logs on to a subnet using a cable modem or DSL. These have provided information for intruders to enter their systems.
Port: 544
Service: [NULL]
Description: Kerberos Kshell
Port: 548
Service: Macintosh,file Services (AFP/IP)
Description: Macintosh, File services.
Port: 553
Service: CORBA IIOP (UDP)
Description: Use the cable modem, DSL, or VLAN to see the broadcast of this port. CORBA is an object-oriented RPC system. Intruders can use this information to enter the system.
Port: 555
Service: DSF
Description: Trojan PhAse1.0, Stealth Spy, Inikiller Open this port.
Port: 568
Service: Membership DPA
Description: Membership DPA.
Port: 569
Service: Membership MSN
Description: Membership MSN.
Port: 635
Service: MOUNTD
Description: Linux mountd Bug. This is a popular bug in scanning. Most of the scans for this port are UDP-based, but TCP-based MOUNTD increases (MOUNTD runs on two ports at the same time). Remember that MOUNTD can run on any port (which port you need to do Portmap query on port 111), but the Linux default port is 635, just as NFS typically runs on port 2049.
Port: 636
Services: LDAP
Description: SSL (Secure Sockets layer)
Port: 666
Service: Doom Id Software
Description: Trojan attack FTP, Satanz backdoor Open this port
Port: 993
Service: IMAP
Description: SSL (Secure Sockets layer)
Ports: 1001, 1011
Service: [NULL]
Description: Trojan silencer, WebEx Open 1001 port. Trojan Doly Trojan Open 1011 port.
PORT: 1024
Service: Reserved
Description: It is the start of a dynamic port, and many programs do not care which port to use to connect to the network, and they request the system to assign them the next idle port. Based on this, the assignment starts at Port 1024. This means that the first request to the system is assigned to port 1024. You can restart the machine, open Telnet, and then open a window to run natstat-a and you will see that Telnet is assigned port 1024. There is also SQL session with this port and Port 5000.
Ports: 1025, 1033
Service: 1025:network Blackjack 1033:[null]
Description: Trojan Netspy open these 2 ports.
Port: 1080
Service: SOCKS
Description: This protocol passes through the firewall in a channel way, allowing people behind the firewall to access the Internet through an IP address. Theoretically it should only allow internal communication to reach the internet outside. But because of the wrong configuration, it allows an attack outside the firewall to pass through the firewall. This error often occurs in Wingate, which is frequently seen when joining IRC chat rooms.
PORT: 1170
Service: [NULL]
Description: Trojan streaming Audio Trojan, Psyber Stream Server, voice open this port.
Ports: 1234, 1243, 6711, 6776
Service: [NULL]
Description: Trojan SubSeven2.0, Ultors Trojan open 1234, 6776 ports. Trojan subseven1.0/1.9 Open 1243, 6711, 6776 ports.
Port: 1245
Service: [NULL]
Description: Trojan Vodoo Open this port.
Port: 1433
Services: SQL
Description: Microsoft SQL Services Open ports.
Port: 1492
Service: Stone-design-1
Description: Trojan ftp99cmp Open this port.
PORT: 1500
Service: RPC client Fixed port session queries
Description: RPC Client fixed port session query
Port: 1503
Service: NetMeeting T.120
Description: NetMeeting T.120
Port: 1524
Service: Ingress
Description: Many attack scripts will install a backdoor shell on this port, especially for SendMail and RPC service vulnerabilities in Sun systems. If you have just installed a firewall and see the connection attempt on this port, this is probably the reason. You can try telnet to this port on the user's computer to see if it will give you a shell. This problem also exists when connecting to 600/pcserver.
Port: 1600
Service: ISSD
Description: Trojan Shivka-burka Open this port.
Port: 1720
Service: NetMeeting
Description: NetMeeting h.233 call Setup.
Port: 1731
Service: NetMeeting Audio call Control
Description: NetMeeting audio call control.
Port: 1807
Service: [NULL]
Description: Trojan Spysender Open this port.
Port: 1981
Service: [NULL]
Description: Trojan Shockrave Open this port.
Port: 1999
Service: Cisco identification port
Description: Trojan Backdoor open this port.
Port: 2000
Service: [NULL]
Description: Trojan Girlfriend 1.3, Millenium 1.0 Open this port.
Port: 2001
Service: [NULL]
Description: Trojan Millenium 1.0, Trojan Cow Open this port.
Port: 2023
Service: Xinuexpansion 4
Description: Trojan Pass Ripper Open this port.
Port: 2049
Services: NFS
Description: NFS programs often run on this port. It is often necessary to access the Portmapper query which port the service runs on.
Port: 2115
Service: [NULL]
Description: Trojan bugs open this port.
Ports: 2140, 3150
Service: [NULL]
Description: Trojan deep Throat 1.0/3.0 Open this port.
PORT: 2500
Service: RPC client using a fixed port session replication
Description: An RPC client that applies a fixed-port session replication